Wednesday, December 22, 2010

Last Friday, Google announced a new warning for hijacked sites displayed within search results. The new warnings say "This site may be compromised". Such results represent legitimate sites that have likely been hijacked to host spam pages which redirect users to another malicious domain.

It is another step forward for Google in their battle against blackhat spam SEO, but it is not entirely new. Google was already displaying warnings for some of the hijacked sites, though not all of them: the older warning, "This site may harm your computer.", was already shown for certain sites, and several hijacked sites still carry it. That older warning appears for all pages within a potentially compromised domain, hijacked pages, legitimate pages and spam pages alike. I don't know if Google plans to change these warnings to the new, more accurate, one.

Hijacked site with old warning

Google seems to be very hesitant to blacklist entire sites, and I can understand why. However, I hope they will be willing to add more warnings to their search results. This should result in webmasters becoming aware that their website has been hijacked, and Google users in turn should become more aware of the Blackhat spam SEO issue.

Google has not, however, implemented this new warning correctly. I did a search for one of the hijacked sites, bizfarm.net. The warning is shown for http://bizfarm.net/ only and not for the other compromised pages on the domain.

Warning about hijacked site

The home page does not actually redirect to a malicious page, but the spam pages, which do redirect users to a fake AV page, have no warning at all in the Google search results. I tried other domains and saw the same type of issue.

No warning from Google about the actual malicious pages

Overall, very few domains carry this new warning, and many hijacked domains continue to display no warning whatsoever. I also checked the search results for the recent popular search "mary lou henner". On December 19th, there were 10 malicious spam pages redirecting to a fake AV page, but only 3 of the results included warnings, and those 3 were the old "This site may harm your computer". No warning stating that the results may be hijacked pages was displayed.

Finally, my biggest disappointment is that this new warning does not help users as much as it could, even if Google fixes the problems described above. When a user clicks on a link that Google showed as "may harm your computer", he is sent to a Google warning page first. To actually get to the dangerous page, the user then has to enter the URL manually in the browser address bar. The Referer header therefore does not show google.com, and since the spam pages key their redirect on the Referer, in most cases the user will not be redirected to the malicious domain. However, when Google shows the new warning, the search result link points directly to the malicious spam page. The Referer shows that the user is coming from a Google search, and the spam page will redirect the user to a malicious domain.
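The Referer-dependent behaviour described above, as an added example that is not code from the original post: a minimal reconstruction of the spam page's server-side logic (it redirects only visitors whose Referer is a Google search, as the post describes) and the two-request check a researcher can run against a suspect URL to expose it. The fake AV destination, the hijacked URL, the helper names and the exact Referer matching rule are assumptions for illustration.

```python
"""Referer-keyed redirect ("cloaking") on a hijacked spam page, and a check
that exposes it. Added example, not code from the original post; the
destination, URLs and helper names are assumptions."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

MALICIOUS_DEST = "http://fake-av.example/scan.php"   # placeholder destination
UA = "Mozilla/5.0 (cloaking-check)"


def from_google(referer):
    """Assumed matching rule: Referer host is google.com or www.google.<tld>."""
    host = urlparse(referer).netloc.lower().split(":")[0]
    return host == "google.com" or host.startswith("www.google.") or host.endswith(".google.com")


def spam_page(request_headers):
    """Simulated hijacked page, returning (status, headers, body).

    A visitor arriving from a Google search is bounced to the malicious domain;
    anyone else, including a user who retyped the URL after Google's
    interstitial warning, gets harmless keyword-stuffed content.
    """
    if from_google(request_headers.get("Referer", "")):
        return 302, {"Location": MALICIOUS_DEST}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body>mary lou henner ...</body></html>"


def check_cloaking(url, fetch):
    """Fetch `url` twice, once as a direct visit and once as if coming from a
    Google search, and report whether the first response differs.

    `fetch(url, headers)` must return (status, response_headers, body) for the
    first response, i.e. without following redirects.
    """
    direct = fetch(url, {"User-Agent": UA})
    via_google = fetch(url, {"User-Agent": UA,
                             "Referer": "http://www.google.com/search?q=mary+lou+henner"})
    d = (direct[0], direct[1].get("Location"))
    g = (via_google[0], via_google[1].get("Location"))
    return {"direct": d, "from_google": g, "cloaked": d != g, "redirect_target": g[1]}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, headers, timeout=10):
    """Live fetcher for check_cloaking (not used by the offline demo below)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # the unfollowed 3xx lands here
        return err.code, dict(err.headers), ""


if __name__ == "__main__":
    # Offline demo against the simulated page (constructed, no network).
    result = check_cloaking("http://hijacked.example/spam/page.php",
                            lambda _url, hdrs: spam_page(hdrs))
    print(result)
    # Live check: check_cloaking("http://suspect.example/page.php", urllib_fetch)
```

Because the check compares the first response of both requests, a page that only cloaks on a Google Referer shows up as a 200 versus a 302 with a Location pointing at the malicious domain; running the same pair of requests from a browser with the address bar is exactly what Google's old interstitial forced users to do, which is why it protected them.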

This new warning has the potential to be a significant step forward in the fight against Blackhat spam SEO. More webmasters and more users will be aware of the issues over time, but first, Google has to display the warnings in the right place, below the actual malicious links, and extend their list of hijacked sites. Hopefully they will consider changing the malicious links as well, so that users have to do more than click a single link to put themselves at risk.

Tuesday, December 21, 2010

It’s that time of year again. As I prepare for my annual pilgrimage to the Great White North to visit family, I also turn my attention to the annual tradition of predicting the future. The beauty of the security industry is that it’s never boring. Technologies race forward (often without security) and attackers continue to impress with their ingenuity. 2010 was another fun filled year and 2011 is sure not to disappoint. Enjoy.

1.Political Hacktivism - In the wake of Julian Assange’s arrest, following an already dramatic series of events in the ongoing Wikileaks saga, we gained insight into the power of political hacktivism in the social networked era. Operation Payback, the series of Distributed Denial of Service attacks stemming from the movement known as Anonymous, succeeded in temporarily disabling major web sites and did so with limited means and no centralized leadership structure. Anonymous is not a coordinated group; it has no membership list, and anyone serving as a spokesperson or leader is likely doing so unilaterally. Operation Payback emerged quite literally overnight, encouraged the use of relatively unsophisticated DDoS tools such as Low Orbit Ion Cannon (LOIC) and yet was surprisingly effective. Traditionally, small, well-coordinated groups have been behind efforts related to political hacktivism. Now, however, we find ourselves in an era where complete strangers can quickly organize, coordinate and attack, and do so with relative anonymity. Welcome to the world of flash mob hacktivism. Expect others to be inspired by the attention garnered by Operation Payback and stage similar attacks against corporations or government entities that have received negative press attention.

2.SSL Only Sites - Firesheep opened many eyes to an elephant that has been in the room for many years. While web applications commonly leverage SSL to protect login credentials, most sites shy away from SSL for general traffic once authentication is complete. This is common for a variety of reasons, such as performance and complexity, especially when sites tend to be a mashup of content hosted on a variety of different domains. Despite the challenges, Firesheep has forced web application owners to revisit the decision not to make sites SSL only, by bringing sidejacking to the masses - the ability to capture an authentication cookie sent over an unencrypted connection and use it to impersonate another user on an open network. With an increasingly mobile workforce accessing web based resources from coffee shops and airports, sidejacking attacks are trivial. In 2011, expect a handful of major vendors to finally tackle this challenge head on and deploy SSL only websites.
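An added example, not part of the original predictions post, of the check that item 2 implies: parse a site's Set-Cookie headers and flag session cookies that a Firesheep-style sniffer on an open network could capture, with the weak setting beside the corrected one. The Set-Cookie values are constructed and the list of session cookie names is an assumption.

```python
"""Flag session cookies that can be sidejacked. Added example, not from the
original post; Set-Cookie samples are constructed, cookie names assumed."""

# Assumed: names a site typically uses for its session/authentication cookie.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "auth", "session"}


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attributes carry no value
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return [(cookie_name, [problem, ...]), ...] for every session cookie seen.

    The sidejacking condition is the missing Secure attribute: without it the
    browser attaches the cookie to every http:// request to the host, so a
    single unencrypted image or script load on an open Wi-Fi network leaks it.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() not in session_names:
            continue
        problems = []
        if "secure" not in cookie["attrs"]:
            problems.append("no Secure flag: sent over plain HTTP, capturable by a sniffer")
        if "httponly" not in cookie["attrs"]:
            problems.append("no HttpOnly flag: readable by injected script")
        findings.append((cookie["name"], problems))
    return findings


# Constructed headers: the weak setting beside the corrected one.
WEAK = ["sessionid=a1b2c3; Path=/; HttpOnly",
        "lang=en; Path=/"]                           # not a session cookie, ignored
HARDENED = ["sessionid=a1b2c3; Path=/; Secure; HttpOnly",
            "lang=en; Path=/"]

if __name__ == "__main__":
    print("weak:    ", audit_cookies(WEAK))
    print("hardened:", audit_cookies(HARDENED))
```

Marking the session cookie Secure only helps if every authenticated page is served over SSL; otherwise the browser simply has no cookie to send and the user is logged out on the plain-HTTP pages, which is the mixed-content complexity the paragraph refers to.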

3.Use and Abuse of the Cloud - In 2010, the Cloud Security Alliance (CSA) released its Top Threats to Cloud Computing report. Included on that list of seven threats was the acknowledgement that attackers are drawn to the cloud for the same reasons as legitimate enterprises - low cost access to powerful computing resources. It is not uncommon to see botnet C&C servers or drop zones running on Amazon or Rackspace servers. This may occur due to legitimate hosts being infected, or the attackers may purchase the services outright. The on-demand, self service nature of the cloud makes it difficult to prevent abuse up front, leaving cloud vendors to remove abusive accounts once complaints flood the help desk. For attackers that are used to quickly migrating servers as take downs occur, this is hardly a challenge, especially given the ease with which they can quickly spin up dozens of powerful instances at a low price (or for free if stolen credit cards are involved). Expect the trend of cloud-hosted botnets to grow.

4.Indirect Data Breaches - 2010 is ending with a series of high profile data breaches including those affecting well known companies such as Gawker Media and McDonald’s (via Silverpop). One thing that we’ve learned from these attacks is that credential theft is not only used to attack the affected domain, but also other sites, due to the common practice of reusing the same username/password across numerous sites. Historically, there has been concern that single sign-on systems such as Facebook Connect create an Achilles heel - compromise one database and have access to many. We’re learning that the opposite can be true as well - by forcing people to have multiple logins, they’ll simply repeat one over and over again and their security is then only as strong as the weakest link in that chain - a riskier overall proposition than having one secure authentication source. As media reports of data breaches at popular sites continue, I expect an increasing number of web applications to offer SSO capabilities from well known brands such as Facebook as an option, especially on lesser known sites.

5.Malvertising Goes Offline - Malvertising is a well-known technique, whereby attackers lease advertising space on popular websites in order to facilitate an attack. This may involve targeting a known browser based vulnerability by using the ad to deliver a malicious media file (e.g. Flash or image files), or it could simply be used to lure unsuspecting users to a secondary, malicious site. To date, malvertising has taken place on websites. However, mobile ad platforms such as iAd (Apple) and AdMob (Google) are emerging as powerful players in an effort to control mobile advertising on tablets and smartphones. Don’t expect attackers to ignore this powerful ability to reach an entirely new set of potential victims. Malvertising could be prevented if advertising networks and host sites better filtered third party content, but history has shown us that this often fails to occur.

6.More App Store Abuse - In last year’s security predictions, I spoke about the likelihood that malicious content would make its way into mobile app stores. It did not take long for that prediction to come true. Now some would argue that even a few malicious apps sneaking past an app store gatekeeper is better than the standard process of downloading applications from anywhere on the web, where there is little way to know if they’ve ever been scrutinized for security issues. While true, sneaking malicious content into an app store is an attractive prospect for an attacker as they’re able to piggyback on the reputation of the app store host (Apple, Google, RIM, etc.) and potentially infect millions without needing to do anything to generate traffic to the site. In 2011, we’ll see app stores go beyond mobile devices with initiatives such as Google’s Chrome Web Store and Apple’s Mac App Store. Yes, attackers are already salivating at the opportunity to infiltrate another ‘trusted’ app store.

7.Niche Malware - Stuxnet demonstrated that malware can successfully target not just PCs or mobile devices, but any IP connected device, in that particular case, SCADA systems. While Stuxnet may have had some additional brain power behind the attack, it’s no secret that embedded, Internet connected devices have a spotty security record, both due to the lack of scrutiny that they’re subjected to and to generally non-existent patch processes. Earlier this year, I blogged about how embedded web servers have left confidential documents on thousands of HP scanners accessible to anyone with a web browser. Today, anything with a power switch is connected to the Internet. I anticipate the growth of niche malware designed to attack or harvest information from these insecure and often completely unprotected devices.

8.Cloud Shared Technology Breach - Returning to the CSA’s Top Threats report, another high risk item making the list relates to vulnerabilities in the shared technologies underlying the infrastructure that cloud instances reside upon. For IaaS providers, that includes the hardware, operating system and virtualization technologies. As we move up the stack to PaaS and SaaS vendors, additional middleware and application components are shared as well. While I don’t necessarily anticipate attacks leveraging a known vulnerability in a COTS component on the infrastructure of a large cloud vendor, due to their stringent patching practices, I do feel that a high profile breach at a lesser-known vendor, especially one in a custom component of shared technology, is quite likely.

9.Social Networking Meets Social Engineering - Attacks on end users virtually always involve social engineering - a user must be convinced to visit a web page, open an attachment, etc. Spam email has valiantly served this purpose for many years, but just as everyday users are migrating away from email and toward social networks such as Facebook and Twitter for communication, so too are hackers. This is far from a bold prediction as attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious tweets, while likejacking has emerged on Facebook as a means of promoting malicious profiles. While leveraging social networks for evil is not new, I expect 2011 to be the year that social networks become the main communication medium for attackers, not just an alternate channel.

10.Device Agnostic Attacks – As mobile devices continue to gobble up an increasing percentage of bandwidth, attackers will shift to web based, device agnostic attacks. Attacks such as XSS and clickjacking, once seen as academic attacks that were experimented with but not widespread, are now increasingly commonplace. We have witnessed numerous web-based worms, especially on Twitter, thanks to a never-ending battle against XSS vulnerabilities, and likejacking - a specific type of clickjacking targeting Facebook profiles. Why the shift, when there is no shortage of Microsoft vulnerabilities? Whereas the Windows operating system has long dominated the desktop market, the mobile space is an entirely new environment from an attack perspective. Multiple operating systems have significant market share and numerous variants of each exist. As such, operating system vulnerabilities are of less value. Web based attacks, however, require nothing more than a JavaScript aware web browser – something that every web enabled device from smartphones to television sets now has.

Wednesday, December 15, 2010

I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers. I have found that very few Chinese sites are blocked by PhishTank or Google Safe Browsing. Additionally, the type of phishing is very different from what we see in the US or other Western countries. While sites related to banking (PayPal, Bank of America, J.P. Morgan, etc.) are the primary targets of phishers overall, Chinese phishing sites are mainly focused on QQ (instant messaging, online games, etc.) or Yahoo! Auctions.

Recently I found two Chinese phishing/scam sites: a site about stocks from Shanghai Huaer Securities, and a government lottery. These two types of sites use a large number of pages with an IFRAME displaying the main site, and both follow a similar layout. The domain names are registered to different people, so the phishers may not be affiliated.

Shanghai Huaer Securities

This site claims to be a stock trading company for the Shanghai Securities market.

Shanghai Securities trading site.

The main site is hosted on huaerzq.com. The "Add to Favorite" links do not use the same domain; rather, they use short links (http://www.goo.gl/YebPW) which redirect to huaer88997766.now.to, which is simply an IFRAME to huaerzq.com.

Friday, December 10, 2010

hack
verb \ˈhak\
a : to write computer programs for enjoyment
b : to gain access to a computer illegally

ac·tiv·ism
noun \ˈak-ti-ˌvi-zəm\
a : a doctrine or practice that emphasizes direct vigorous action especially in support of or opposition to one side of a controversial issue

hacktivism - hacking meets activism

Anonymous Logo

The Wikileaks saga has come with no shortage of drama and intrigue but it also serves as a remarkable example of hacktivism in the social networking era - when tools to organize and collaborate not only exist but are part of our everyday lives. The latest developments demonstrate just how quickly large, disparate groups can organize and with relatively simple technology do very real damage.

Background

Following the arrest earlier this week of Julian Assange, the now very public face of Wikileaks, an entity known as Anonymous has led the charge to encourage DDoS attacks on a variety of websites. Anonymous, which originally emerged from 4chan, must be considered an entity as opposed to a group because there is really no concept of membership. Anonymous is simply the banner under which like minded individuals gather in the name of a cause - in this case, to seek retribution for perceived corporate cooperation to cripple Wikileaks, a movement that has come to be known as Operation Payback.

Communications Infrastructure

The group conducting the attacks is open and so are the communication mediums. Coordination has occurred via Twitter, Facebook, the Anonymous website and IRC channels. While various sites have been taken down, new ones emerge to take their place just as quickly. IRC communication has occurred primarily on irc.anonops-irc.com within a variety of channels including #OperationPayback and #Target.

Takedowns are Futile

Various sites have been taken down and accounts suspended throughout the Wikileaks saga, as corporations are forced to walk the delicate tightrope between free speech and reputational damage. However, in reality such efforts are futile as the modern SaaS/Cloud/Social Internet permits new communication channels to be set up elsewhere almost instantaneously and generally at no cost.

The initial Anon_Operation Twitter account was suspended (Google Cache), only to be quickly replaced by others such as Op_Payback and Anon_SpecOps, which so far remain online. These accounts have served as one of the mechanisms to focus DDoS attacks on specific targets and also share ongoing information about the attacks.

Suspended Anon_Operation Twitter account

Anon_SpecOps Twitter account announcing a new attack target - later taken offline

Facebook also quickly took down a group entitled Operation Payback which supported the effort, only to see dozens more show up in its place.

Facebook message announcing suspension of the Operation Payback page

Wikileaks itself has set up over 1,000 mirror sites to ensure that individual takedown efforts by ISPs or DNS providers will have a limited effect overall.

Attack

The DDoS attacks have leveraged a tool known as LOIC (Low Orbit Ion Cannon), a relatively simple tool designed to flood targets with TCP/UDP packets or HTTP requests. Some versions incorporate a 'hive mind' feature which allows the tool to connect to an IRC channel from which the targets can be centrally managed. Throughout the attacks this week, Anonymous has been encouraging anyone willing to participate to use LOIC to flood specific targets. While other tools and attack methods may have been used in the DDoS attacks, LOIC is the one tool that the public at large is being encouraged to adopt. If indeed the successful DDoS attempts have used nothing more than a free Internet fire hose, it is a concerning indicator of the overall state of DDoS defenses at the targeted networks.

LOIC with the Hive Mind feature

JavaScript-based versions of the tool (LOIC JS) have also been preconfigured with attack targets and hosted online. The advantage of this approach is that the tool requires absolutely no security knowledge for someone to participate in the attacks. Rather than needing to compile/install source code, a user simply pulls up LOIC JS in their browser and fires traffic at the target with the click of a button.

LOIC JS targeting PayPal

Contributors have even modified versions of LOIC JS for mobile devices to ensure that road warriors can participate in the attacks.

Mobile version of JS LOIC

Targets

Anonymous has targeted a variety of websites, all of which are perceived to have either caved to government demands to not support Wikileaks or have spoken out against Wikileaks and Julian Assange.

Damage

Despite the relatively unsophisticated nature of the attacks, they do appear to have been successful in at least temporarily taking sites for Visa, PayPal and Mastercard offline as can be seen in the screenshots below. Reports also indicate that DDoS attacks took down sites for Swiss bank PostFinance, the Swedish Prosecution Authority and Sarah Palin, although an attack on Amazon was unsuccessful.

downforeveryoneorjustme.com showing downtime for api.paypal.com on December 9, 2010

IRC chat discussing api.paypal.com takedown

Netcraft is maintaining a page to monitor uptime of all sites targeted by Operation Payback.

Lessons Learned

While I certainly don't condone the Anonymous attacks, it is important that we learn from them. We have seen various instances of hacktivism throughout the years, such as the defacements that followed the mid-air collision of a US spy plane and a Chinese fighter jet, or Project Chanology, an earlier Anonymous effort targeting the Church of Scientology. However, I have not previously seen a movement quite like the one that we are currently witnessing, one where literally thousands of people have come together so quickly, most with limited or no security knowledge, and yet they have been able to do real damage. This has occurred in part due to the nature of the story itself, one that has garnered a global audience, but it has also occurred because the tools to organize such an effort are now so readily available. From social networking sites to free hosting to ubiquitous broadband, the assets required are within reach of anyone with a web browser.

What should corporations and governments take away from this week's events?

Hacktivism is a legitimate threat to corporations and governments

Efforts by authorities to censor communication among hacktivists are futile - they will not achieve the intended goal of halting the attacks and will more likely add fuel to the fire

While attacks may be relatively unsophisticated from a technical perspective, they can be successful nonetheless

They got the guns, but we got the numbers
Gonna win, yeah, we're taking over.
"Five to One", The Doors

Tuesday, December 7, 2010

While there is nothing new or Earth-shattering in this post, I thought I'd share what I have seen as the top abuses of open web proxies - as this is an everyday occurrence involving a large volume of web transactions and is a constant annoyance on the Internet.

An "open proxy" is... In other words, a server that anyone on the Internet can forward traffic through. There are various flavors of open proxies:

Transparent open proxy - includes originating IP address within the headers or a cookie so the traffic can be traced back to the source (common in a caching proxy setup).

Anonymous open proxy - mask/hide the originating IP address of the traffic. However, there is often a tag from the proxy identifying the proxy version, etc. so that the destination server could identify the traffic as being sent through a proxy.

"Elite" open proxy - provides no indication to the destination server that the traffic has been forwarded. These are the most desirable form of proxies in the underground.
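The three flavors above are defined by what the destination server can see, so they can be told apart mechanically. The following is an added example, not code from the original post: a proxy "judge" page of the kind the automated checks in #5 below hit, which echoes back the connecting address and any forwarding headers, and the classification a tester applies to that report knowing their own real address. The header names are the ones proxies commonly add; the sample requests and addresses are constructed.

```python
"""What a destination server can learn about a request relayed by an open
proxy: transparent, anonymous or elite, in the post's terms. Added example,
not from the original post; header names are the usual ones proxies add and
the sample requests are constructed."""

# Headers a transparent proxy uses to pass the real client address along.
FORWARDING_HEADERS = ("X-Forwarded-For", "Forwarded", "X-Real-IP", "Client-IP", "X-Client-IP")
# Headers that betray a proxy in the path even when they hide the client address.
PROXY_MARKER_HEADERS = ("Via", "Proxy-Connection", "X-Proxy-ID", "X-Forwarded-Host")


def judge_report(remote_addr, request_headers):
    """What a proxy judge page echoes back: the connecting address plus any
    forwarding/proxy headers it received, in CGI-style variable names."""
    report = {"REMOTE_ADDR": remote_addr}
    for name in FORWARDING_HEADERS + PROXY_MARKER_HEADERS:
        value = request_headers.get(name)
        if value is not None:
            report["HTTP_" + name.upper().replace("-", "_")] = value
    return report


def classify_proxy(report, real_client_ip):
    """Classify from a judge report, knowing the client's real address.

    transparent: the real address appears in a forwarding header
    anonymous:   no real address, but some header betrays the proxy
    elite:       the request looks like it came straight from the proxy
    """
    if report["REMOTE_ADDR"] == real_client_ip:
        return "direct", []
    leaks = [k for k, v in report.items() if k != "REMOTE_ADDR" and real_client_ip in v]
    if leaks:
        return "transparent", leaks
    markers = [k for k in report if k != "REMOTE_ADDR"]
    if markers:
        return "anonymous", markers
    return "elite", []


def check(proxy_ip, headers_as_seen_by_server, real_client_ip):
    """One round trip through a proxy, judged from the server side."""
    return classify_proxy(judge_report(proxy_ip, headers_as_seen_by_server), real_client_ip)


if __name__ == "__main__":
    me, proxy = "203.0.113.10", "198.51.100.5"     # constructed addresses
    print(check(proxy, {"Via": "1.1 squid", "X-Forwarded-For": me}, me))        # transparent
    print(check(proxy, {"Via": "1.1 squid", "X-Forwarded-For": "unknown"}, me)) # anonymous
    print(check(proxy, {"User-Agent": "Mozilla/5.0"}, me))                      # elite
```

Note that an "elite" verdict only means the proxy strips these headers; the destination can still recognise proxy traffic from behaviour (many unrelated sessions from one address, odd timing), which is what the PTC sites in #3 rely on.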

I've analyzed many thousands of transactions on a few "elite" open web proxies, to determine how they are being used (abused). This is the general breakdown of the percentage of the transactions that I analyzed (there were over a quarter of a million total that I reviewed).

#1: Distributed Brute-Forcing:

This is the repeated attempt at trying username / password combinations to gain unauthorized access to accounts. Among the abuses of open web proxies, this is one I have seen repeatedly. For example, proxies are often used to brute-force Yahoo! and Rapidshare accounts. As these target sites identify the brute-forcing activity, they block the source IP address from further attempts - so the brute-force attempts are distributed among open proxies to mask and vary the source IP addresses of the attempts.

The Yahoo brute-force attempts primarily appear as HTTP GET requests taking a variety of forms:

Note: For both Yahoo and Rapidshare IP addresses and domain names are rotated through. For example:

Log Snippet of Yahoo Brute-Forcing

#2: Comment / Forum Spamming:

This is the mass-posting of "comments" onto blogs, forums, guestbooks, and other sites that allow open interaction with the sites. These comments include the "spam advertisement" variety ranging from porn, pharma, gambling, and pay-per-click affiliates. The other variety is the SEO variety in which the comments include links back to a page they are trying to increase search engine ranking for. Some SEO tools like XRumer include functionality for automatic registration and CAPTCHA bypass when posting to sites.

The comment spam HTTP GETs vary depending on the forum setup, but many followed the formats:

<site_page>.php?act=post&do=new_post&f=<forum_id>

<site_page>.php?do=newthread&f=<forum_id>

<site_page>.php?mode=post&f=<forum_id>&sid=<session_id>

<site_page>comment/reply/<story_id>

Snippet of logs showing the forum spamming

Following the spam from one of the forum spammers shows that they are trying to increase the visibility of World of Warcraft auction sites (e.g., cash for WoW gold).

Sample spam message:

WoW auction site

#3 Pay-to-click (PTC) "Cheating"

PTC/PTP/PTR sites are pay-to-click, pay-to-promote and pay-to-read sites: members are paid to click ads, read ads or fill out surveys. These sites are businesses with varying degrees of legitimacy - I doubt the site owners/members pay taxes, in some cases the site owners don't pay out their members, and in many cases the members try to "cheat" the sites using things like botnets or infected machines.

The business model is basic: web site owners and advertisers pay PTC sites to promote their site. In turn, PTC members receive a fraction of a cent for each click they generate to the advertised site. PTC members also receive commissions for referring new members to sign-up. As such, new members fall into a pyramid hierarchy in which a small percentage of their revenue is given to the referring user. PTC sites have varying degrees of memberships and also limit the number of times that a member can generate revenue from a participating site.

PTC members that try to cheat the system attempt to create as many referred users under them as possible to generate a commission, and from each newly created referral automatically click through the participating sites, generating a daily revenue stream something along the following lines:

PTC sites are aware of members attempting to cheat, so they look at things like the source IP of the transactions and identify and ban users when multiple accounts all come from the same IP address. PTC sites also try to identify if the transactions are being forwarded from a proxy - because of these checks, "elite" proxies unknown to the PTC sites are in high demand.

Here is an example of a PTC site that I saw being "cheated":

Note: there are many of these PTC sites, and they all look fairly similar to this setup.

On the homepage of the site, top earners are displayed:

The number 3 daily earner for this PTC site is "dominic1102" - looking at the logs, I see this PTC member generating a large number of referrals to make commissions and increase their click volume. Example format:

www.tuxedocatsclicks.info/index.php?ref=dominic1102

The "dominic1102" handle and client IP (123.134.112.84) was used for a number of other PTC sites as well, e.g., www.lakotaptc.info/index.php?ref=dominic1102

Log snippet of PTC cheating

#4 IRC / ICQ Masking

Users of chat networks frequently want to hide their source IP address, whether because the user is engaged in illegal activity (e.g., selling stolen credentials) or simply wants to remain anonymous in case a flame war erupts and is followed by a denial of service attack.

#5 Proxy Testing / Reveal Host IP:

It appears that a portion of the traffic analyzed comes from automated checks to identify open proxies. Once connected, the proxy is tested to see which IP address is exposed on the Internet when traffic is forwarded through the proxy.

#6 Other Browsing and Site Scraping

This includes a variety of things, ranging from general browsing, porn and other "not safe for work" (NSFW) surfing and regular page scraping. Based on the transaction timestamps in the logs, much of the porn surfing appeared to be automated scraping of pornographic images.
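The categories above can be recovered from a proxy's access log with a handful of URL rules plus two per-source aggregations, one for #1 (one client trying many passwords against one account) and one for #3 (one handle farming referrals on several PTC sites). The following is an added example, not the author's tooling, and it goes beyond the single Yahoo case in the post by tagging #1, #2, #3 and #5 in one pass. The log format and the sample lines are constructed (the dominic1102 referral URLs and client IP are the ones quoted in the post); the Yahoo/Rapidshare login request shapes and the proxy-judge script names are assumptions, while the forum-posting and ?ref= patterns are the ones listed above.

```python
"""Tag open-proxy access-log transactions with the abuse categories from the
post (#1 brute forcing, #2 comment spam, #3 PTC referral cheating, #5 proxy
testing). Added example, not the author's tooling. Log format and sample
lines are constructed; the Yahoo/Rapidshare login request shapes and the
judge paths are assumptions; the forum-post and ?ref= patterns come from the
post itself."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")   # time ip method url status

RULES = [
    # assumed shapes of the credential-guessing requests
    ("brute_force", re.compile(r"^https?://login\.yahoo\.com/config/login\?.*\blogin=.*\bpasswd=", re.I)),
    ("brute_force", re.compile(r"^https?://(ssl\.)?rapidshare\.com/.*\b(login|password)=", re.I)),
    # forum/blog posting URLs, as listed in the post
    ("comment_spam", re.compile(r"\.php\?(act=post&do=new_post|do=newthread|mode=post)&f=\d+", re.I)),
    ("comment_spam", re.compile(r"/comment/reply/\d+", re.I)),
    # PTC referral link, as in the post
    ("ptc_referral", re.compile(r"/index\.php\?ref=[\w.-]+", re.I)),
    # assumed: common proxy-judge script names hit by automated proxy checks
    ("proxy_test", re.compile(r"/(azenv|judge|proxyjudge)\.php", re.I)),
]


def classify_url(url):
    for category, pattern in RULES:
        if pattern.search(url):
            return category
    return "other"


def analyze(log_text, min_passwords=3, min_ptc_sites=2):
    by_category = Counter()
    passwords = defaultdict(set)   # (client_ip, login) -> distinct passwords tried
    ptc_sites = defaultdict(set)   # (client_ip, ref handle) -> PTC hosts hit
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        _, ip, _, url, _ = match.groups()
        category = classify_url(url)
        by_category[category] += 1
        parsed = urlparse(url)
        query = parse_qs(parsed.query)
        if category == "brute_force" and "login" in query:
            pw = (query.get("passwd") or query.get("password") or [""])[0]
            passwords[(ip, query["login"][0])].add(pw)
        elif category == "ptc_referral":
            ptc_sites[(ip, query["ref"][0])].add(parsed.netloc)
    return {
        "by_category": by_category,
        # one source cycling passwords for one account through the proxy
        "brute_force_suspects": sorted((ip, user, len(pws)) for (ip, user), pws in passwords.items()
                                       if len(pws) >= min_passwords),
        # one handle collecting referrals on several PTC sites from one address
        "ptc_cheaters": sorted((ip, ref, len(hosts)) for (ip, ref), hosts in ptc_sites.items()
                               if len(hosts) >= min_ptc_sites),
    }


# Constructed sample log: "<time> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2010-12-07T10:00:01 203.0.113.7 GET http://login.yahoo.com/config/login?login=bob77&passwd=hunter2 200
2010-12-07T10:00:02 203.0.113.7 GET http://login.yahoo.com/config/login?login=bob77&passwd=letmein 200
2010-12-07T10:00:03 203.0.113.7 GET http://login.yahoo.com/config/login?login=bob77&passwd=qwerty 200
2010-12-07T10:00:04 198.51.100.9 GET http://login.yahoo.com/config/login?login=alice&passwd=secret 200
2010-12-07T10:00:05 198.51.100.9 GET https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi?login=alice&password=secret 200
2010-12-07T10:01:00 192.0.2.33 GET http://forum.example.org/newthread.php?do=newthread&f=12 200
2010-12-07T10:01:01 192.0.2.33 GET http://board.example.net/posting.php?mode=post&f=4&sid=ab12 200
2010-12-07T10:01:02 192.0.2.33 GET http://news.example.com/comment/reply/9981 200
2010-12-07T10:02:00 123.134.112.84 GET http://www.tuxedocatsclicks.info/index.php?ref=dominic1102 200
2010-12-07T10:02:01 123.134.112.84 GET http://www.lakotaptc.info/index.php?ref=dominic1102 200
2010-12-07T10:02:02 198.51.100.50 GET http://www.ptc.example/index.php?ref=solo 200
2010-12-07T10:03:00 203.0.113.99 GET http://judge.example/azenv.php 200
2010-12-07T10:04:00 198.51.100.77 GET http://www.example.com/ 200
2010-12-07T10:04:05 198.51.100.77 GET http://www.example.com/about.html 200
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The URL rules alone only tell you what a transaction looks like; the two aggregations are what separate abuse from a single legitimate login or referral, and the thresholds (three passwords, two PTC sites) are deliberately low because each proxy sees only a slice of a campaign that is spread across many proxies.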

Monday, December 6, 2010

I have looked at 1,123 legitimate sites which have been hijacked to host spam pages redirecting users to a fake AV page. I'd assumed that most of them would be running WordPress, Joomla!, OSCommerce and other open source software known to have a history of security issues. In reality, these software packages actually represent less than 15% of all hijacked sites.

Type of Software used to create the hijacked sites

Also, a large number of hijacked sites actually had no dynamic pages - they contained only images, JavaScript, CSS and HTML files. As such, they are unlikely to have been hacked through a vulnerability in the software installed on the site. Therefore, we can assume that one of the two following techniques was leveraged to add the PHP scripts used to generate spam pages to the sites:

Admin credentials were stolen or brute forced, or the webmaster kept the default login/password. The malicious scripts were then simply uploaded using their FTP account or a web based admin interface.

Shared hosting servers could have been compromised.

The second possibility is the most likely. There have been mass-infections reported in the past for GoDaddy, BlueHost, Dreamhost, etc. The distribution of hacked sites by hosting companies is interesting:

The Endurance International Group, which owns 20 hosting companies (iPowerWeb, Pow Web, Dot5 Hosting, StartLogic, Fatcow, Globat, etc.) hosts 38% of the hijacked sites. Bluehost, a rather small hosting provider, represents 28% of the hijacked sites. However, the biggest providers host a small proportion of sites used for malicious spamming: 2% for GoDaddy, and less than 0.5% for 1&1.

It seems that most of the legitimate sites have been hijacked through a vulnerability in their hosting platform rather than in the software they are running. That's not good news for the webmaster who wants to keep his site safe: part of the problem is out of his control. Keeping your WordPress or Drupal version up to date and locked down is not enough - you also need to seek out a secure hosting provider.
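The two classifications behind this post's figures, software used and hosting company, can be reproduced from a site's HTML and a site-to-host mapping. The following is an added example, not the author's code: a fingerprint that names the CMS from its usual markers (or reports a site as static when nothing but HTML, CSS, JavaScript and images is linked), and a roll-up of hosting brands to their parent group. The fingerprints are an assumption about how the chart was built, the sample pages and the site-to-host mapping are constructed, and the Endurance International Group brand list is the one given above.

```python
"""Reproduce the two classifications behind the post's figures: the software a
hijacked site runs (fingerprinted from its HTML) and the hosting company it
sits on, rolled up to the parent group. Added example, not the author's code;
fingerprints are the usual markers (an assumption), sample pages and the
site-to-host mapping are constructed, the Endurance brand list is the post's."""
import re
from collections import Counter

FINGERPRINTS = [
    ("WordPress", (r"/wp-content/", r"/wp-includes/", r'name="generator" content="WordPress')),
    ("Joomla!", (r"/components/com_", r'name="generator" content="Joomla!')),
    ("osCommerce", (r"osCsid=", r"product_info\.php\?", r"index\.php\?cPath=")),
    ("Drupal", (r"Drupal\.settings", r"/sites/default/files/", r'name="generator" content="Drupal')),
]
LINK = re.compile(r'(?:href|src|action)="([^"]+)"', re.I)
DYNAMIC = re.compile(r"\.(php|asp|aspx|jsp|cgi|pl)(\?|$)", re.I)


def detect_software(html):
    """Name the CMS, or 'other dynamic' / 'static' when no known CMS marker is present."""
    for name, markers in FINGERPRINTS:
        if any(re.search(m, html, re.I) for m in markers):
            return name
    if any(DYNAMIC.search(link) for link in LINK.findall(html)):
        return "other dynamic"
    return "static"   # only HTML/CSS/JS/images linked: no server-side code to exploit


# Brands rolled up to their owner; the Endurance list is the one given in the post.
PARENT_GROUPS = {
    "Endurance International Group": {"iPowerWeb", "PowWeb", "Dot5 Hosting",
                                      "StartLogic", "FatCow", "Globat"},
}


def parent_of(brand):
    for parent, brands in PARENT_GROUPS.items():
        if brand in brands:
            return parent
    return brand


def breakdown(labels):
    """Percentage share of each label (CMS names or hosting groups)."""
    counts = Counter(labels)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


# Constructed: (domain, page excerpt as fetched, hosting brand from a whois/ASN lookup)
SAMPLE_SITES = [
    ("a.example", '<link rel="stylesheet" href="/wp-content/themes/x/style.css">', "iPowerWeb"),
    ("b.example", '<meta name="generator" content="Joomla! 1.5">', "Bluehost"),
    ("c.example", '<a href="product_info.php?products_id=3&osCsid=ab">', "FatCow"),
    ("d.example", '<img src="logo.gif"><script src="menu.js"></script>', "Globat"),
    ("e.example", '<a href="about.html">About</a>', "GoDaddy"),
    ("f.example", '<form action="contact.cgi"><img src="x.png"></form>', "1&1"),
]


def software_breakdown(sites):
    return breakdown(detect_software(html) for _, html, _ in sites)


def hosting_breakdown(sites):
    return breakdown(parent_of(host) for _, _, host in sites)


if __name__ == "__main__":
    print("software:", software_breakdown(SAMPLE_SITES))
    print("hosting: ", hosting_breakdown(SAMPLE_SITES))
```

The static-site test matters for the argument above: a site whose HTML links to no server-side script at all had no application to exploit, so a PHP spam generator on it points at stolen credentials or the hosting platform, not the CMS.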